2395287 – (CVE-2023-53219) CVE-2023-53219 kernel: media: netup_unidvb: fix use-after-free at del_timer()

Bug 2395287 (CVE-2023-53219) - CVE-2023-53219 kernel: media: netup_unidvb: fix use-after-free at del_timer()

Summary: CVE-2023-53219 kernel: media: netup_unidvb: fix use-after-free at del_timer()

Keywords:
Status:	NEW
Alias:	CVE-2023-53219
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-09-15 15:05 UTC by OSIDB Bzimport
Modified:	2025-11-26 08:53 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-09-15 15:05:29 UTC

In the Linux kernel, the following vulnerability has been resolved:

media: netup_unidvb: fix use-after-free at del_timer()

When Universal DVB card is detaching, netup_unidvb_dma_fini()
uses del_timer() to stop dma->timeout timer. But when timer
handler netup_unidvb_dma_timeout() is running, del_timer()
could not stop it. As a result, the use-after-free bug could
happen. The process is shown below:

    (cleanup routine)          |        (timer routine)
                               | mod_timer(&dev->tx_sim_timer, ..)
netup_unidvb_finidev()         | (wait a time)
  netup_unidvb_dma_fini()      | netup_unidvb_dma_timeout()
    del_timer(&dma->timeout);  |
                               |   ndev->pci_dev->dev //USE

Fix by changing del_timer() to del_timer_sync().

Comment 1 Keith Grant 2025-09-16 12:30:28 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091512-CVE-2023-53219-bd20@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.